CVE-2016-4657 walk-through and intro to browser exploitation

Discussion in 'Switch - Hacking & Homebrew' started by parrotgeek1, Mar 13, 2017.

  1. parrotgeek1
    OP


  2. iAqua

    ;) Well, that was fast.
     
  3. jupitteer

    Damn, can't wait for userland. Wanna play dem emulators.
     
  4. AecdArmy

    Give it a bit, we need a DEP bypass first :P
     
  5. jupitteer

    Yep, but it's still great to see progress so quickly.

    At this rate, the Switch will be hacked before we get sighax.
     
  6. studio1b

    Keep it up :) Great news.
     
  7. TheCyberQuake

    Remember to keep in mind that they still have to develop a format for homebrew as well, along with tools to develop the homebrew (or SDK leaks). Kinda like how the 3DS has its .3dsx format.
     
  8. Sasori

    I have taken the liberty of recording this webpage in action, in case anyone is curious as to what it does currently without sitting through an 18-minute video.
     
  9. AecdArmy

    It's kinda weird: last night I finished the whole thing, saying "the Switch will now crash". Now I get up to that part only, then it crashes...
     
  10. Sasori

    It depends on how the script runs, I assume, since it doesn't even have a 100% success rate. I noticed it should have said that for me as well.
     
  11. Hillary_Clinton

    Always crashes before the end for me.
     
  12. Sasori

    It's supposed to.
     
  13. Hillary_Clinton

    What I mean is, it doesn't get to the part where it's supposed to alert "smash.length is now: 0x1337"

    It should get there before crashing.
     
  14. Sasori

    You installed/set it up wrong. If you want to test a working version, set your DNS to go to http://dnswitch.redthetrainer.com/

    Once there click "tap to test webkit"
     
  15. Hillary_Clinton

    Still crashes after the first two alerts. :huh: Is it working any better for you?
     
  16. Sasori

    Like I said, it's supposed to crash. You can see so in my video above as well.
     
  17. Hillary_Clinton

    But it's not supposed to crash; if you watch the first video, he gets all the way through. What I think you're saying is: this is expected behavior since it's just a really touchy exploit?

    Edit: It sometimes makes it to the "misaligned" alert.
     
    Last edited by Hillary_Clinton, Mar 13, 2017
  18. Sasori

    The same exact thing happens in the video: he crashes. You're crashing because it doesn't do anything yet and is just a PoC. You won't be pirating games or using homebrew with this right now. This "exploit" won't do anything other than crash your system.
     
  19. Hillary_Clinton

    Yes, it's a proof of concept, but a critical part of the proof is seeing that the length changed, and I'm not reaching that alert. So this makes me curious exactly what his setup was, if he was reliably having success.

    Edit: Okay, now if I set up my server with his exact files freshly unzipped from his GitHub master (not just poc1.html but also his index.html, which redirects to it), then I am able to get to the end of the PoC reliably.
     
    Last edited by Hillary_Clinton, Mar 13, 2017
  20. gudenaurock

    New to find gadgets and such. ^^

    Edit:
    Got to love use-after-free exploits. So fun.
     
    Last edited by gudenaurock, Mar 13, 2017